[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Forcing TLS encryption

To: Wiebe Cazemier <wiebe@halfgaar.net>
Subject: Re: Forcing TLS encryption
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Fri, 28 Dec 2012 13:25:27 -0800
Cc: Dieter Klünter <dieter@dkluenter.de>, Philip Guenther <guenther+ldaptech@sendmail.com>, openldap-technical@OpenLDAP.org
In-reply-to: <1097916365.15338.1356728184208.JavaMail.root@halfgaar.net>
References: <985577790.9606.1356102006319.JavaMail.root@halfgaar.net> <634F18FA-7BB5-4D83-9C02-EE46CFE6298C@oracle.com> <288778360.11025.1356340479288.JavaMail.root@halfgaar.net> <20121227155321.045a9e29@violet.avci.de> <1438144113.14442.1356682491834.JavaMail.root@halfgaar.net> <alpine.BSO.2.00.1212281229001.27566@morgaine.smi.sendmail.com> <1097916365.15338.1356728184208.JavaMail.root@halfgaar.net>

On Dec 28, 2012, at 12:56 PM, Wiebe Cazemier <wiebe@halfgaar.net> wrote:

> ----- Original Message -----
>> From: "Philip Guenther" <guenther+ldaptech@sendmail.com>
>> To: "Wiebe Cazemier" <wiebe@halfgaar.net>
>> Cc: "Dieter Klünter" <dieter@dkluenter.de>, openldap-technical@openldap.org
>> Sent: Friday, 28 December, 2012 9:36:50 PM
>> Subject: Re: Forcing TLS encryption
>> 
>> On Fri, 28 Dec 2012, Wiebe Cazemier wrote:
>>> I understand that, but this way, even when you're forcing TLS,
>>> users can
>>> still expose their passwords if their computers are mal-configured.
>>> SMTP, IMAP, FTP, etc don't allow this, because they reject the
>>> connection if LOGINNAME is given before STARTTLS.
>> 
>> That is not true of SMTP's AUTH PLAIN, IMAP's AUTHENTICATE PLAIN, or
>> IMAP's LOGIN.  The PLAIN SASL mechanism and IMAP's LOGIN command both
>> send
>> the username and password without waiting for a response from the
>> server**.
>> 
>> 
>>> It's kind of a security issue. Is it because in LDAP, username and
>>> password are given as one command, and the server doesn't have the
>>> chance to abort at that point? If so, then I guess it's
>>> unavoidable.
>> 
>> Correct.
>> 
>> 
>> Philip Guenther
>> 
>> ** Well, to be completely accurate, IMAP AUTHENTICATE requires a
>> server
>> response if the server doesn't support the SASL-IR capability
>> 
>> 
> 
> Then why is the LDAPS port deprecated? If the connection is SSL from the start, you don't have this issue.

You still have the issue that the client might be configured for ldap://host:636 and Simple Bind or SASL PLAIN (generally by user mis-configuration).

In short, nothing in the server can prevent a poorly coded or poorly configured client from disclosing a user password in appropriately. 

ldaps:// was never standardized and hence deprecated.  There were many reasons why the IETF choose not to standardize ldaps://, one being interoperability issues between pre-existing implementations...  another being that it viewed as not needed.

-- Kurt

References:
- Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Chuck Lever <chuck.lever@oracle.com>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>

Prev by Date: Re: Forcing TLS encryption
Next by Date: Re: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
Index(es):
- Chronological
- Thread